From 16e451a7d89a57d3503952fe27122e1775474823 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 15 May 2010 09:04:32 -0700 Subject: [PATCH] Add 'required' interface option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Providers.pm | 12 ++++-- Shorewall/Perl/Shorewall/Zones.pm | 25 ++++++++++++ manpages/shorewall-interfaces.xml | 56 ++++++++++++++------------- manpages6/shorewall6-interfaces.xml | 14 +++++++ 4 files changed, 77 insertions(+), 30 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 686abe707..4db5ca2db 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -836,13 +836,15 @@ sub lookup_provider( $ ) { # # This function is called by the compiler when it is generating the detect_configuration() function. -# The function emits code to set the ..._IS_USABLE interface variables appropriately for the -# optional interfaces +# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the +# ..._IS_USABLE interface variables appropriately for the optional interfaces # -# Returns true if there were optional interfaces +# Returns true if there were required or optional interfaces # sub handle_optional_interfaces() { + my $returnvalue = verify_required_interfaces; + my $interfaces = find_interfaces_by_option 'optional'; if ( @$interfaces ) { @@ -877,8 +879,10 @@ sub handle_optional_interfaces() { 'fi' ); } - 1; + $returnvalue = 1; } + + $returnvalue; } # diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 596a96827..e0f44aeeb 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -69,6 +69,7 @@ our @EXPORT = qw( NOTHING find_interfaces_by_option get_interface_option set_interface_option + verify_required_interfaces validate_hosts_file find_hosts_by_option all_ipsets 
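Review bot: The new `my $returnvalue = verify_required_interfaces;` in handle_optional_interfaces calls the imported sub as a bareword, which only parses as a call because Shorewall::Zones exports it with a `()` prototype that has to be visible at compile time; `my $returnvalue = verify_required_interfaces();` says the same thing without depending on import order. The value it receives is also fragile: verify_required_interfaces (Zones.pm, last hunk of that file) returns 1 only from inside its `if` block and otherwise falls out with the implicit value of the false condition, and this function's own `$returnvalue;` at the end of the next hunk is likewise an implicit return. Making both explicit — `return $returnvalue;` here, and `return 0 unless @$interfaces;` before the loop plus `return 1;` after it in verify_required_interfaces — pins the contract the updated comment promises ("Returns true if there were required or optional interfaces"). handle_optional_interfaces continues past the end of this hunk.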
@@ -223,6 +224,7 @@ sub initialize( $ ) { nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, optional => SIMPLE_IF_OPTION, proxyarp => BINARY_IF_OPTION, + required => SIMPLE_IF_OPTION, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST, routefilter => NUMERIC_IF_OPTION , sourceroute => BINARY_IF_OPTION, @@ -251,6 +253,7 @@ sub initialize( $ ) { nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, optional => SIMPLE_IF_OPTION, proxyndp => BINARY_IF_OPTION, + required => SIMPLE_IF_OPTION, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST, sourceroute => BINARY_IF_OPTION, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, @@ -915,6 +918,8 @@ sub process_interface( $$ ) { } } + fatal_error "Invalid combination of interface options" if $options{required} && $options{optional}; + if ( $netsref eq 'dynamic' ) { my $ipset = "${zone}_" . chain_base $physical; $netsref = [ "+$ipset" ]; @@ -1169,6 +1174,26 @@ sub set_interface_option( $$$ ) { $interfaces{$interface}{options}{$option} = $value; } +# +# Verify that all required interfaces are available +# +sub verify_required_interfaces() { + + my $interfaces = find_interfaces_by_option 'required'; + + if ( @$interfaces ) { + for my $interface (@$interfaces ) { + my $physical = get_physical $interface; + + emit qq(if ! interface_is_usable $physical; then); + emit qq( startup_error "Required interface $physical not available"); + emit qq(fi\n); + } + + 1; + } +} + # # Process a record in the hosts file # diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index 165538aed..9dff89245 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -107,6 +107,8 @@ loc eth2 - proxyarp + required + routefilter sourceroute @@ -382,7 +384,7 @@ loc eth2 - - nosmurfs + nosmurfs Filter packets for smurfs (packets with a broadcast @@ -416,31 +418,24 @@ loc eth2 - - + May not be specified with required. -
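Review bot: The added `fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};` in process_interface reports a conflict without naming it, even though the check exists for exactly one pair of options; `fatal_error "The 'required' and 'optional' interface options are mutually exclusive"` would let the user fix the interfaces entry without reading the compiler source. The manpage hunks in this commit already describe the restriction in those terms, so the message would then match the documentation. process_interface begins and ends outside this hunk.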
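Review bot: The three `emit` lines in verify_required_interfaces interpolate `$physical` into generated shell unquoted, once as the argument to interface_is_usable and once inside the double-quoted startup_error message, so a physical name containing whitespace, a double quote or another shell metacharacter yields a script that fails or behaves differently from the intended test; unless process_interface (outside this hunk) already restricts physical names to a shell-safe character set, quoting the argument, `emit qq(if ! interface_is_usable "$physical"; then);`, is the cheap defence. A one-line comment above the loop would also help the next reader, because the function does not check anything at compile time — per the comment in Providers.pm it is called while detect_configuration() is being generated: `# Emits shell into the generated detect_configuration(); the check runs at firewall start.`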
- I specify on interfaces to - Xen virtual machines that may or may not be running when - Shorewall is [re]started. - - - - - Use at your own risk. If - you [re]start Shorewall when an 'optional' interface is - not available and then do a shorewall - save, subsequent shorewall - restore and shorewall -f - start operations will instantiate a ruleset that - does not support that interface, even if it is available - at the time of the restore/start. - -
+ + Use at your own risk. If you + [re]start Shorewall when an 'optional' interface is not + available and then do a shorewall save, + subsequent shorewall restore and + shorewall -f start operations will + instantiate a ruleset that does not support that interface, + even if it is available at the time of the + restore/start. +
- physical=physical=name @@ -486,6 +481,17 @@ loc eth2 - + + required + + + Added in Shorewall 4.4.10. If this option is set, the + firewall will fail to start if the interface is not usable. + May not be specified together with optional. + + + routeback @@ -523,11 +529,9 @@ loc eth2 - the INTERFACE column. -
- This option can also be enabled globally in the shorewall.conf(5) - file. -
+ This option can also be enabled globally in the shorewall.conf(5) + file.
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index 5a419c137..ec96f69c3 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -186,6 +186,9 @@ loc eth2 - cannot be obtained. + + This option may not be specified together with required. @@ -211,6 +214,17 @@ loc eth2 - + + required + + + Added in Shorewall 4.4.10. When specified, the firewall + will fail to start if the interface named in the INTERFACE + column is not usable. May not be specified together with + optional. + + + routeback